diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java index c36540db3..bb9b0a9fa 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java @@ -64,7 +64,10 @@ public CipherSuiteGuidelineCheck( public GuidelineCheckResult evaluate(ServerReport report) { List nonRecommended = this.nonRecommendedSuites(report); return new CipherSuiteGuidelineCheckResult( - getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended); + getName(), + GuidelineAdherence.of(nonRecommended.isEmpty()), + nonRecommended, + recommendedCipherSuites); } @Override diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java index 376122ca7..e581aedcf 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java @@ -64,10 +64,16 @@ public GuidelineCheckResult evaluate(ServerReport report) { } } return new HashAlgorithmsGuidelineCheckResult( - getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended); + getName(), + GuidelineAdherence.of(nonRecommended.isEmpty()), + nonRecommended, + recommendedAlgorithms); } else { return new HashAlgorithmsGuidelineCheckResult( - getName(), GuidelineAdherence.CHECK_FAILED, Collections.emptySet()); + getName(), + GuidelineAdherence.CHECK_FAILED, + Collections.emptySet(), + recommendedAlgorithms); } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java index f8a2dd6e6..b2e5d2644 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java @@ -103,7 +103,7 @@ public GuidelineCheckResult evaluate(ServerReport report) { return new NamedGroupsGuidelineCheckResult(getName(), GuidelineAdherence.ADHERED); } else { return new NamedGroupsGuidelineCheckResult( - getName(), GuidelineAdherence.VIOLATED, nonRecommended); + getName(), GuidelineAdherence.VIOLATED, nonRecommended, recommendedGroups); } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java index a298b8df6..da580e2fa 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java @@ -63,10 +63,13 @@ public GuidelineCheckResult evaluate(ServerReport report) { } } return new SignatureAlgorithmsGuidelineCheckResult( - getName(), GuidelineAdherence.of(notRecommended.isEmpty()), notRecommended); + getName(), + GuidelineAdherence.of(notRecommended.isEmpty()), + notRecommended, + recommendedAlgorithms); } else { return new SignatureAlgorithmsGuidelineCheckResult( - getName(), GuidelineAdherence.CHECK_FAILED, null); + getName(), GuidelineAdherence.CHECK_FAILED, null, recommendedAlgorithms); } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java index f2a0a19b0..d2f41b20e 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java @@ -60,7 +60,10 @@ public GuidelineCheckResult evaluate(ServerReport report) { } } return new X509SignatureAlgorithmGuidelineCheckResult( - getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended); + getName(), + GuidelineAdherence.of(nonRecommended.isEmpty()), + nonRecommended, + recommendedAlgorithms); } @Override diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java index 8a5d81076..5b762a305 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java @@ -88,7 +88,7 @@ public GuidelineCheckResult evaluate(ServerReport report) { } if (algorithms == null || algorithms.isEmpty()) { return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( - getName(), GuidelineAdherence.CHECK_FAILED, null); + getName(), GuidelineAdherence.CHECK_FAILED, null, recommendedAlgorithms); } Set notRecommended = new HashSet<>(); for (SignatureAndHashAlgorithm alg : algorithms) { @@ -96,9 +96,11 @@ public GuidelineCheckResult evaluate(ServerReport report) { notRecommended.add(alg); } } - return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( // TODO this needs to - // be a new result now - getName(), GuidelineAdherence.of(notRecommended.isEmpty()), notRecommended); + return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( + getName(), + GuidelineAdherence.of(notRecommended.isEmpty()), + notRecommended, + recommendedAlgorithms); } @Override diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java index 4f307a450..8f7ef52bc 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java @@ -17,6 +17,7 @@ public class CipherSuiteGuidelineCheckResult extends GuidelineCheckResult { private final List notRecommendedSuites; + private final List recommendedSuites; public CipherSuiteGuidelineCheckResult( String checkName, @@ -24,6 +25,17 @@ public CipherSuiteGuidelineCheckResult( List notRecommendedSuites) { super(checkName, adherence); this.notRecommendedSuites = notRecommendedSuites; + this.recommendedSuites = null; + } + + public CipherSuiteGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + List notRecommendedSuites, + List recommendedSuites) { + super(checkName, adherence); + this.notRecommendedSuites = notRecommendedSuites; + this.recommendedSuites = recommendedSuites; } @Override @@ -39,4 +51,8 @@ public String toString() { public List getNotRecommendedSuites() { return notRecommendedSuites; } + + public List getRecommendedSuites() { + return recommendedSuites; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java index 2ad02edbe..b0ddd5ffc 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java @@ -12,12 +12,14 @@ import de.rub.nds.protocol.constants.HashAlgorithm; import de.rub.nds.scanner.core.guideline.GuidelineAdherence; import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; +import java.util.List; import java.util.Objects; import java.util.Set; public class HashAlgorithmsGuidelineCheckResult extends GuidelineCheckResult { private final Set notRecommendedAlgorithms; + private final List recommendedAlgorithms; public HashAlgorithmsGuidelineCheckResult( String checkName, @@ -25,6 +27,17 @@ public HashAlgorithmsGuidelineCheckResult( Set notRecommendedAlgorithms) { super(checkName, adherence); this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = null; + } + + public HashAlgorithmsGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedAlgorithms, + List recommendedAlgorithms) { + super(checkName, adherence); + this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = recommendedAlgorithms; } @Override @@ -43,4 +56,8 @@ public String toString() { public Set getNotRecommendedAlgorithms() { return notRecommendedAlgorithms; } + + public List getRecommendedAlgorithms() { + return recommendedAlgorithms; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java index 5a2c9fe5f..5297b20ad 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java @@ -21,6 +21,7 @@ public class NamedGroupsGuidelineCheckResult extends GuidelineCheckResult { private Set notRecommendedGroups; private List missingRequired; private Integer groupCount; + private List recommendedGroups; public NamedGroupsGuidelineCheckResult(String checkName, GuidelineAdherence adherence) { super(checkName, adherence); @@ -32,6 +33,16 @@ public NamedGroupsGuidelineCheckResult( this.notRecommendedGroups = notRecommendedGroups; } + public NamedGroupsGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedGroups, + List recommendedGroups) { + super(checkName, adherence); + this.notRecommendedGroups = notRecommendedGroups; + this.recommendedGroups = recommendedGroups; + } + public NamedGroupsGuidelineCheckResult( String checkName, GuidelineAdherence adherence, List missingRequired) { super(checkName, adherence); @@ -77,4 +88,8 @@ public List getMissingRequired() { public Integer getGroupCount() { return groupCount; } + + public List getRecommendedGroups() { + return recommendedGroups; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java index 20866b436..7e0217f1e 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java @@ -12,12 +12,14 @@ import de.rub.nds.protocol.constants.SignatureAlgorithm; import de.rub.nds.scanner.core.guideline.GuidelineAdherence; import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; +import java.util.List; import java.util.Objects; import java.util.Set; public class SignatureAlgorithmsGuidelineCheckResult extends GuidelineCheckResult { private final Set notRecommendedAlgorithms; + private final List recommendedAlgorithms; public SignatureAlgorithmsGuidelineCheckResult( String checkName, @@ -25,6 +27,17 @@ public SignatureAlgorithmsGuidelineCheckResult( Set notRecommendedAlgorithms) { super(checkName, adherence); this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = null; + } + + public SignatureAlgorithmsGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedAlgorithms, + List recommendedAlgorithms) { + super(checkName, adherence); + this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = recommendedAlgorithms; } @Override @@ -43,4 +56,8 @@ public String toString() { public Set getNotRecommendedAlgorithms() { return notRecommendedAlgorithms; } + + public List getRecommendedAlgorithms() { + return recommendedAlgorithms; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java index ea3e26455..9ea0ca796 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java @@ -12,6 +12,7 @@ import de.rub.nds.scanner.core.guideline.GuidelineAdherence; import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm; +import java.util.List; import java.util.Objects; import java.util.Set; @@ -19,6 +20,7 @@ public class SignatureAndHashAlgorithmsCertificateGuidelineCheckResult extends GuidelineCheckResult { private final Set notRecommendedAlgorithms; + private final List recommendedAlgorithms; public SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( String checkName, @@ -26,6 +28,17 @@ public SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( Set notRecommendedAlgorithms) { super(checkName, adherence); this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = null; + } + + public SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedAlgorithms, + List recommendedAlgorithms) { + super(checkName, adherence); + this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = recommendedAlgorithms; } @Override @@ -44,4 +57,8 @@ public String toString() { public Set getNotRecommendedAlgorithms() { return notRecommendedAlgorithms; } + + public List getRecommendedAlgorithms() { + return recommendedAlgorithms; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java index 99b5e3fd0..36b9cfb21 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java @@ -12,12 +12,14 @@ import de.rub.nds.scanner.core.guideline.GuidelineAdherence; import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; import de.rub.nds.x509attacker.constants.X509SignatureAlgorithm; +import java.util.List; import java.util.Objects; import java.util.Set; public class X509SignatureAlgorithmGuidelineCheckResult extends GuidelineCheckResult { private final Set notRecommendedAlgorithms; + private final List recommendedAlgorithms; public X509SignatureAlgorithmGuidelineCheckResult( String checkName, @@ -25,6 +27,17 @@ public X509SignatureAlgorithmGuidelineCheckResult( Set notRecommendedAlgorithms) { super(checkName, adherence); this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = null; + } + + public X509SignatureAlgorithmGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedAlgorithms, + List recommendedAlgorithms) { + super(checkName, adherence); + this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = recommendedAlgorithms; } @Override @@ -43,4 +56,8 @@ public String toString() { public Set getNotRecommendedAlgorithms() { return notRecommendedAlgorithms; } + + public List getRecommendedAlgorithms() { + return recommendedAlgorithms; + } } diff --git a/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java new file mode 100644 index 000000000..f126dd883 --- /dev/null +++ b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java @@ -0,0 +1,56 @@ +/* + * TLS-Scanner - A TLS configuration and analysis tool based on TLS-Attacker + * + * Copyright 2017-2023 Ruhr University Bochum, Paderborn University, Technology Innovation Institute, and Hackmanit GmbH + * + * Licensed under Apache License, Version 2.0 + * http://www.apache.org/licenses/LICENSE-2.0.txt + */ +package de.rub.nds.tlsscanner.serverscanner.guideline.results; + +import static org.junit.jupiter.api.Assertions.*; + +import de.rub.nds.scanner.core.guideline.GuidelineAdherence; +import de.rub.nds.tlsattacker.core.constants.CipherSuite; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import org.junit.jupiter.api.Test; + +public class CipherSuiteGuidelineCheckResultTest { + + @Test + public void testRecommendedSuitesField() { + List recommendedSuites = + Arrays.asList( + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + List notRecommendedSuites = + Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA); + + CipherSuiteGuidelineCheckResult result = + new CipherSuiteGuidelineCheckResult( + "Test Check", + GuidelineAdherence.VIOLATED, + notRecommendedSuites, + recommendedSuites); + + assertEquals(recommendedSuites, result.getRecommendedSuites()); + assertEquals(notRecommendedSuites, result.getNotRecommendedSuites()); + assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence()); + } + + @Test + public void testBackwardCompatibility() { + List notRecommendedSuites = + Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA); + + CipherSuiteGuidelineCheckResult result = + new CipherSuiteGuidelineCheckResult( + "Test Check", GuidelineAdherence.VIOLATED, notRecommendedSuites); + + assertNull(result.getRecommendedSuites()); + assertEquals(notRecommendedSuites, result.getNotRecommendedSuites()); + assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence()); + } +} diff --git a/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResultTest.java b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResultTest.java new file mode 100644 index 000000000..aefd68acc --- /dev/null +++ b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResultTest.java @@ -0,0 +1,56 @@ +/* + * TLS-Scanner - A TLS configuration and analysis tool based on TLS-Attacker + * + * Copyright 2017-2023 Ruhr University Bochum, Paderborn University, Technology Innovation Institute, and Hackmanit GmbH + * + * Licensed under Apache License, Version 2.0 + * http://www.apache.org/licenses/LICENSE-2.0.txt + */ +package de.rub.nds.tlsscanner.serverscanner.guideline.results; + +import static org.junit.jupiter.api.Assertions.*; + +import de.rub.nds.protocol.constants.HashAlgorithm; +import de.rub.nds.scanner.core.guideline.GuidelineAdherence; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Set; +import org.junit.jupiter.api.Test; + +public class HashAlgorithmsGuidelineCheckResultTest { + + @Test + public void testRecommendedAlgorithmsField() { + List recommendedAlgorithms = + Arrays.asList(HashAlgorithm.SHA256, HashAlgorithm.SHA384); + Set notRecommendedAlgorithms = + new HashSet<>(Collections.singletonList(HashAlgorithm.SHA1)); + + HashAlgorithmsGuidelineCheckResult result = + new HashAlgorithmsGuidelineCheckResult( + "Test Check", + GuidelineAdherence.VIOLATED, + notRecommendedAlgorithms, + recommendedAlgorithms); + + assertEquals(recommendedAlgorithms, result.getRecommendedAlgorithms()); + assertEquals(notRecommendedAlgorithms, result.getNotRecommendedAlgorithms()); + assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence()); + } + + @Test + public void testBackwardCompatibility() { + Set notRecommendedAlgorithms = + new HashSet<>(Collections.singletonList(HashAlgorithm.SHA1)); + + HashAlgorithmsGuidelineCheckResult result = + new HashAlgorithmsGuidelineCheckResult( + "Test Check", GuidelineAdherence.VIOLATED, notRecommendedAlgorithms); + + assertNull(result.getRecommendedAlgorithms()); + assertEquals(notRecommendedAlgorithms, result.getNotRecommendedAlgorithms()); + assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence()); + } +} diff --git a/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/report/GuidelineResultSerializationTest.java b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/report/GuidelineResultSerializationTest.java new file mode 100644 index 000000000..d49839c95 --- /dev/null +++ b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/report/GuidelineResultSerializationTest.java @@ -0,0 +1,165 @@ +/* + * TLS-Scanner - A TLS configuration and analysis tool based on TLS-Attacker + * + * Copyright 2017-2023 Ruhr University Bochum, Paderborn University, Technology Innovation Institute, and Hackmanit GmbH + * + * Licensed under Apache License, Version 2.0 + * http://www.apache.org/licenses/LICENSE-2.0.txt + */ +package de.rub.nds.tlsscanner.serverscanner.report; + +import static org.junit.jupiter.api.Assertions.*; + +import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility; +import com.fasterxml.jackson.annotation.PropertyAccessor; +import com.fasterxml.jackson.databind.ObjectMapper; +import de.rub.nds.protocol.constants.HashAlgorithm; +import de.rub.nds.protocol.constants.SignatureAlgorithm; +import de.rub.nds.scanner.core.guideline.GuidelineAdherence; +import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; +import de.rub.nds.scanner.core.guideline.GuidelineReport; +import de.rub.nds.tlsattacker.core.constants.CipherSuite; +import de.rub.nds.tlsattacker.core.constants.NamedGroup; +import de.rub.nds.tlsscanner.serverscanner.guideline.results.CipherSuiteGuidelineCheckResult; +import de.rub.nds.tlsscanner.serverscanner.guideline.results.HashAlgorithmsGuidelineCheckResult; +import de.rub.nds.tlsscanner.serverscanner.guideline.results.NamedGroupsGuidelineCheckResult; +import de.rub.nds.tlsscanner.serverscanner.guideline.results.SignatureAlgorithmsGuidelineCheckResult; +import java.io.ByteArrayOutputStream; +import java.util.*; +import org.junit.jupiter.api.Test; + +public class GuidelineResultSerializationTest { + + @Test + void testCipherSuiteGuidelineCheckResultSerialization() throws Exception { + List recommendedSuites = + Arrays.asList( + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + List notRecommendedSuites = + Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA); + + CipherSuiteGuidelineCheckResult result = + new CipherSuiteGuidelineCheckResult( + "BSI TR-02102-2 Cipher Suite Check", + GuidelineAdherence.VIOLATED, + notRecommendedSuites, + recommendedSuites); + + String json = serializeResult(result); + + assertTrue(json.contains("\"recommendedSuites\"")); + assertTrue(json.contains("\"notRecommendedSuites\"")); + assertTrue(json.contains("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")); + assertTrue(json.contains("TLS_RSA_WITH_AES_128_CBC_SHA")); + } + + @Test + void testHashAlgorithmsGuidelineCheckResultSerialization() throws Exception { + List recommendedAlgorithms = + Arrays.asList(HashAlgorithm.SHA256, HashAlgorithm.SHA384); + Set notRecommendedAlgorithms = + new HashSet<>(Collections.singletonList(HashAlgorithm.SHA1)); + + HashAlgorithmsGuidelineCheckResult result = + new HashAlgorithmsGuidelineCheckResult( + "Hash Algorithm Check", + GuidelineAdherence.VIOLATED, + notRecommendedAlgorithms, + recommendedAlgorithms); + + String json = serializeResult(result); + + assertTrue(json.contains("\"recommendedAlgorithms\"")); + assertTrue(json.contains("\"notRecommendedAlgorithms\"")); + assertTrue(json.contains("SHA256")); + assertTrue(json.contains("SHA1")); + } + + @Test + void testNamedGroupsGuidelineCheckResultSerialization() throws Exception { + List recommendedGroups = + Arrays.asList(NamedGroup.SECP256R1, NamedGroup.SECP384R1); + Set notRecommendedGroups = + new HashSet<>(Collections.singletonList(NamedGroup.SECP160K1)); + + NamedGroupsGuidelineCheckResult result = + new NamedGroupsGuidelineCheckResult( + "Named Groups Check", + GuidelineAdherence.VIOLATED, + notRecommendedGroups, + recommendedGroups); + + String json = serializeResult(result); + + assertTrue(json.contains("\"recommendedGroups\"")); + assertTrue(json.contains("\"notRecommendedGroups\"")); + assertTrue(json.contains("SECP256R1")); + assertTrue(json.contains("SECP160K1")); + } + + @Test + void testSignatureAlgorithmsGuidelineCheckResultSerialization() throws Exception { + List recommendedAlgorithms = + Arrays.asList(SignatureAlgorithm.RSA_PKCS1, SignatureAlgorithm.ECDSA); + Set notRecommendedAlgorithms = + new HashSet<>(Collections.singletonList(SignatureAlgorithm.DSA)); + + SignatureAlgorithmsGuidelineCheckResult result = + new SignatureAlgorithmsGuidelineCheckResult( + "Signature Algorithm Check", + GuidelineAdherence.VIOLATED, + notRecommendedAlgorithms, + recommendedAlgorithms); + + String json = serializeResult(result); + + assertTrue(json.contains("\"recommendedAlgorithms\"")); + assertTrue(json.contains("\"notRecommendedAlgorithms\"")); + assertTrue(json.contains("RSA_PKCS1")); + assertTrue(json.contains("DSA")); + } + + @Test + void testFullGuidelineReportSerialization() throws Exception { + List checkResults = new ArrayList<>(); + + // Add cipher suite result + checkResults.add( + new CipherSuiteGuidelineCheckResult( + "Cipher Suite Check", + GuidelineAdherence.VIOLATED, + Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA), + Arrays.asList(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256))); + + // Add hash algorithm result + checkResults.add( + new HashAlgorithmsGuidelineCheckResult( + "Hash Check", + GuidelineAdherence.ADHERED, + Collections.emptySet(), + Arrays.asList(HashAlgorithm.SHA256))); + + GuidelineReport report = + new GuidelineReport("BSI TR-02102-2", "https://www.bsi.bund.de/...", checkResults); + + ServerReport serverReport = new ServerReport(); + serverReport.addGuidelineReport(report); + + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + ServerReportSerializer.serialize(stream, serverReport); + String json = stream.toString(); + + assertTrue(json.contains("\"guidelineReports\"")); + assertTrue(json.contains("\"recommendedSuites\"")); + assertTrue(json.contains("\"recommendedAlgorithms\"")); + } + + private String serializeResult(GuidelineCheckResult result) throws Exception { + ObjectMapper mapper = new ObjectMapper(); + mapper.setVisibility(PropertyAccessor.GETTER, Visibility.NONE); + mapper.setVisibility(PropertyAccessor.FIELD, Visibility.ANY); + + return mapper.writeValueAsString(result); + } +}